Shiny Things: Why Your Certificates Matter

By Brett Gordon, Senior Solutions Engineer 03.07.2019

Who really ever wants to be a target? Unless it is of someone’s affection, it is pretty much never a good thing. Especially in the world of cybersecurity. Now don’t get me wrong, it doesn’t take much to attract the attention of someone hacking for fun, profit, or even to make a statement, but sometimes we do things that attract unnecessary attention to ourselves.

Like leaving live systems with expired SSL certificates.

Why is this a problem? Why would an SSL certificate that has passed its expiration draw more attention to it than the elephant in the room? Before we go any further, it is important to understand what a certificate is and why it is so important.

Certificates are for more than participation

Staying away from the nuts and bolts of how SSL certificates actually work (you can read more about that here or here), we need to understand that they perform four key functions when it comes to communications across the Internet. If properly issued and implemented,

  1. they will ensure the confidentiality of our communication (read that as encryption),
  2. they will ensure the integrity of communication (read that as the message you read is the message that was actually sent),
  3. they will provide authentication of the entity at the other end of the conversation (that the party you are talking to is the party you thought you were talking to), and lastly,
  4. they will provide non-repudiation when taken all together (read that as you can prevent either party from playing the “It wasn’t me” card).

All in all, certificates are the reason we can safely shop or bank online and why we should always heed any certificate-related warnings when visiting a website. They are kind of a big deal.

Throw out expired milk

Like a driver’s license, passport, or milk in your fridge, certificates also have an expiration date. The trusted third parties that issue certificates, called certificate authorities (CAs), understand that things change and that the details in a certificate need to be confirmed periodically to help maintain the integrity of the system.

And, sure, you don’t NEED to use a trusted third party (certificates issued without one are called self-signed certificates), but if you don’t, you can say goodbye to at least two of the four reasons we use certificates.

In addition, issuing agencies have a way to revoke a certificate if, for whatever reason, something goes wrong after it was originally issued. This revocation process only works before the expiration date on the certificate. Once it expires, it can no longer be revoked. Since certificates also play a role in encryption (the confidentiality and integrity we mentioned earlier) and technology keeps evolving, what may have been strong encryption yesterday is weak today, so a periodic update is warranted.

An expired cert is like leaving your front door open

Now think about this from an attacker’s standpoint. You are scanning the Internet looking for your next target when you happen upon a machine with some certificate issues. Maybe the certificate expired or maybe it wasn’t issued by a trusted CA (your browser will quickly advise you of these issues) but whatever it is, you know how important certificates are.

It attracts your attention.

Perhaps the fact that the certificate expired a while ago means someone forgot about the machine it is on. If they forgot about it, it is probably also not patched against the latest vulnerabilities. If it’s not patched, odds are there is a way in and nobody is watching it, so you can probably poke around a bit without being seen.

Sure, you have an impressive set of skills like that guy from Mr. Robot, but low-hanging fruit is called that for a reason. This system warrants some further attention. After all, whatever your underlying motivation, you are the attacker and your goal is to compromise stuff, or an entire company, and this looks like a good place to start.

So before you dangle those shiny things out there and invite attention you do not need or want, get control of those certs.
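
One way to triage a certificate inventory for the conditions described above (expired, long expired, and self-signed), as an added example that is not part of the original article or of any vendor's product. The records, hostnames, and the 30-day and 180-day thresholds are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

def _name(cn):
    # Distinguished name in the nested-tuple form used by Python's ssl module.
    return ((("commonName", cn),),)

# Constructed inventory (hosts, issuers and dates are made up for illustration).
INVENTORY = [
    {"host": "www.example.test", "subject": _name("www.example.test"),
     "issuer": _name("Example Public CA"), "notAfter": "Sep  1 00:00:00 2019 GMT"},
    {"host": "old-vpn.example.test", "subject": _name("old-vpn.example.test"),
     "issuer": _name("Example Public CA"), "notAfter": "Jun 10 00:00:00 2017 GMT"},
    {"host": "dev.example.test", "subject": _name("dev.example.test"),
     "issuer": _name("dev.example.test"), "notAfter": "Mar 20 00:00:00 2019 GMT"},
]

def triage(cert, now, warn_days=30, forgotten_days=180):
    """Return the findings for one certificate record as of `now` (UTC)."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    findings = []
    if not_after <= now:
        findings.append("expired")
        # A long-expired certificate suggests a host nobody is maintaining.
        if (now - not_after).days >= forgotten_days:
            findings.append("likely-forgotten")
    elif (not_after - now).days <= warn_days:
        findings.append("expiring-soon")
    # Heuristic: issuer equal to subject means no third-party CA vouched for it.
    # Proving a certificate is self-signed requires verifying its signature.
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    return findings

def report(inventory, now):
    """Map each host with at least one finding to its findings, most findings first."""
    flagged = {c["host"]: triage(c, now) for c in inventory}
    flagged = {h: f for h, f in flagged.items() if f}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    now = datetime(2019, 3, 7, tzinfo=timezone.utc)  # fixed date so output is stable
    for host, findings in report(INVENTORY, now).items():
        print(f"{host}: {', '.join(findings)}")
```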

Don’t let an expired certificate be your swan song

Expanse has the ability to help you find and monitor your certificates from the outside – like those that may have expired on forgotten machines. We continuously track the validity and existence of those that tie back to your organization. This is especially important in today’s agile world where many developers will either get certificates on their own or self-sign them for testing and development. Expanse can also help discover certificates that have been left over after M&A, or simply forgotten about in the shuffle of today’s fast-moving IT environments. To learn about the certificates that Expanse can see that belong to your organization (including those that have expired!) as well as a comprehensive view of your global attack surface, request a demo of our platform.